[CVE-2023-25806] [Backport 2.6] Flatten response times #2472
Conversation
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
|
The whitesource is a known issue that we are still waiting for a fix from the dependency provider. |
cwperks
changed the title
|
Last windows CI failure was flaky. Merging this now to unblock the release train. There is no platform specific logic in this PR and the other checks have passed. The team will ensure that CI for the failing check on windows with JDK 17 passes post merge. |
|
Thank you @cwperks |
peternied
changed the title
|
Thank you for fixing this issue. Can anyone tell my why the related advisory is not visible in the advisory database ( https://github.com/advisories)? I also have looked for unreviewed advisories. Because of this our security management system has no access to this advisory. The CVE-2023-25806 has no CPEs attached, so our system can't match the CVE to OpenSearch. Is it possible to provide CPEs to the CVE? |
|
@AndreVirtimo Thank you for reaching out. Looks like the NVD is still analyzing the CVE and it might take few more days before it appears on the advisory database. You can monitor here: https://nvd.nist.gov/vuln/detail/CVE-2023-25806 |
|
@AndreVirtimo Our advisory for this issue is available here - while waiting on the NVD analysis does that cover what you are looking for? |
|
@peternied I know that the advisory is there. This was my first contact with the issue. I wondered why the advisory was not in our mirror of Github Advisories. In this project I can see 5 advisories. 3 of them are also listed here. The advisories GHSA-wmx7-x4jp-9jgg and GHSA-c6wg-cm5x-rqvj are not in this database. Is there a need to publish this advisories to the database? I wish to find all advisories in the Github database. Because we are scanning this database to detect possible vulnerabilities. |
|
@AndreVirtimo The advisory is now visible on the database: https://github.com/advisories?query=CVE-2023-25806
|
|
@DarshitChanpura thank you. I can now also see the advisory in our security scanner. Did you have to explicitly publish the advisory or what was the issue? |
The advisory wasn't connected to the Maven artifact, which caused Github to not pick it up correctly. |
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Description
Manually backport reponse time flattening for 2.6 release
Testing
Includes InternalAuthBackendTests.java test file.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.